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1. Introductions and apologies 


Lid. Apologies were received from Elizabeth Denham, 
Matthew Atkinson (NAO) and Peter Cudlip (Mazars). 
1.2. The Chair welcomed Sid Sidhu to the meeting as the 


new National Audit Office Director responsible for the 
Department of Culture, Media and Sport; Andrew Hubert as 
the new Director of Resources; and Chris Braithwaite as the 
new Senior Corporate Governance Officer. 


2, Declaration of interests 
2.1. No declarations were made. 


3. Matters arising from the previous meeting 
3.1. The minutes of the previous meeting were agreed. 


3.2. Paul Arnold explained that the Terms of Reference of 
the Remuneration Committee had been updated and shared 
with the Trade Unions Paul Arnold agreed that further 
updates could be provided to the next meetings of the 
Management Board and Audit Committee. 


Action 1: Paul Arnold to provide an update regarding 
the Remuneration Committee to be provided to the 
Management Board's November meeting. 


Action 2: Paul Arnold to provide to provide a further 
update on the Remuneration Committee to be provided 
to the Audit Committee's January meeting. 


3.3. The Committee requested that an update be provided to 
the next meeting regarding the programme and progress 
towards agreeing the 2018/19 Financial Statements. 


Action 3: Heather Dove and Chris Braithwaite to 
provide a report to the January meeting regarding the 
programme and progress towards agreeing to the 
2018/19 Financial Statements. 


4.  DCEO’s update 


4.1. Paul Arnold updated the Committee on major issues 
affecting the ICO, in particular progress towards the EU Exit. 


4.2. The Committee was provided with an update regarding 
ongoing major investigations, including the potential cost of 
the investigations. 


4.3. Paul Arnold explained that over the last quarter, 
significant work had been done to develop the new People 
Strategy, inducting new staff into the organisation (including 


the new tier of Directors below the Executive Team) and 
updating risk management and business planning processes 
in order to embed these practices into the business. 


5. Risk and Opportunity Management — Full Review 


5.1. Louise Byers informed the Committee that a full review 
of the ICO’s Risk and Opportunity Register had been 
completed in September 2018. The Committee welcomed the 
new format for the register and agreed that it was beneficial 
for the Committee to review the full register on an annual 
basis. 


5.2. The Committee noted that there were a large number of 
risks rated as red and suggested that scenario planning 
should be conducted to determine the impact if multiple red 
risks materialised in the same time period. There were likely 
to be interdependencies between these risks which could 
have a significant impact in such a scenario. It was suggested 
that contingencies could be added within the actions to 
control the risks. 


Action 4: Paul Arnold to ensure that scenario planning 
be conducted to determine the impact of multiple red 
risks materialising in the same time period. 


5.3. The Committee discussed whether the number of red 
risks indicated that risks were habitually being rated too 
highly. Paul Arnold commented that this may be the case, but 
given the recent changes in the organisation, it was 
appropriate to err on the side of prudence. He expected many 
of the risks to reduce in the coming weeks and months, 
particularly demand-related risks, as these would be 
mitigated by improvements in workforce capability and 
flexibility of resources. 


5.4. The Committee discussed the top risk within the 
register, which was related to the exit from the European 
Union. 


Action 5: Paul Arnold to provide a report on EU Exit 
planning to the next Management Board meeting. 


6. Finance 


6.1. Heather Dove introduced the August finance report, 
which had been circulated in advance of the meeting. 


7. Outstanding audit actions 


7.1. Chris Braithwaite confirmed that there are no late 
recommendations and that three recommendations had been 
cleared since the last meeting. 


8. Internal audit (Mazars) 


8.1. Gary Stewart introduced a report providing an Internal 
Audit progress update, highlighting that the IT audits (IT 
Strategy and Cyber Security) had been moved to Q4 
2018/19, to allow the new IT management structure to 
become embedded in the organisation. 


8.2. Michaela Spiller introduced reports providing 
information of the completed audits (Assurance Mapping and 
Financial and Budget Planning). 


8.3. The Committee agreed that although the Assurance 
Mapping audit had been advisory, the actions should be 
included within the regular Outstanding Audit 
Recommendations report. 

Action 6: Chris Braithwaite to include the 
recommendations from the Assurance Mapping audit in 
the regular Outstanding Audit Recommendations 
report. 


9. External audit (NAO/BDO) 


9.1. Sid Sidhu confirmed that there were no specific external 
audit matters to raise for discussion which had not already 
been discussed. 


10. Lessons learnt —August 2018 website outage 


10.1. Paul Arnold presented a report on lessons learnt from 
the ICO’s website outage in August 2018. 

10.2. Sid Sidhu commented that the ICO should ensure that 
the risk of a website outage was reflected within the risk and 
opportunity register. 


11. Gifts and Hospitality Policy and Third Party Collaboration 
Policy 
11.1. Louise Byers presented a report setting out a revised 


version of the ICO’s Gifts and Hospitality Policy and a new 
Third Party Collaboration Policy. 


11.2. The Committee agreed that Non-Executive Directors 
and the Independent Member should be asked to provide a 


quarterly return on the gifts and hospitality they had 
received. 


Action 7: Chris Braithwaite to ask Non-Executive 
Directors and Independent Members to provide a 
quarterly return on the gifts and hospitality they had 
received. 


11.3. The Chair asked whether the policy with regard to Air 
Miles was in line with standard practice in the public sector. It 
was agreed that this aspect of the policy could be reviewed. 


Action 8: Chris Braithwaite to review the treatment of 
Air Miles in the Gifts & Hospitality Policy to ensure it is 
in line with standard practice in the public sector. 


12. Fraud, Whistleblowing and security — Q1 and Q2, 2018/19 


12.1. Chris Braithwaite presented a report which provided 
information of security incidents in Q1 and Q2 of 2018/19. No 
incidents of fraud or whistleblowing had been reported. The 
Committee requested that future reports include more 
analysis of the causes of incidents and mitigating actions 
taken as a result. 


Action 9: Chris Braithwaite to ensure that future Fraud, 
Whistleblowing and Security reports include more 
analysis of the causes of incidents and mitigating 
actions taken as a result. 


13. NAO Guidance 


13.1. Chris Braithwaite presented a report which provided the 
Committee with the NAO’s October 2018 “Round-up for Audit 
Committees”. 


13.2. The Chair informed the Committee that she would be 
attending a meeting of DCMS Audit Chairs on 6 November. 
14. ICO Organisation Chart 


14.1. The Committee was provided with an updated version of 
the ICO’s Organisation Chart, following the significant 
changes to the ICO’s structure since the last Committee 
meeting. 


15. Any other urgent business 


15.1. There were no items of other business. 


